pypa / virtualenv

Virtual Python Environment builder

Home Page: https://virtualenv.pypa.io

Move to PyPA org on PyPI?

webknjaz opened this issue

With the orgs feature on PyPI, there's a PyPA org that exists already — https://pypi.org/org/pypa/. Why not make use of it?

UPD: Dustin explained the implications as an FAQ in the ML: https://mail.python.org/archives/list/pypa-committers@python.org/thread/E6MWIHEK3M232UILXGQFYPHGJHF7VYW7/.

I don't own pypa so can't really make that transition.

I think @pradyunsg might have access. Or @di. Though, for this to happen, they have to have access to both the virtualenv project (as an Owner) on PyPI and to the org + have Manager+ access in the org.

You'll need to invite that individual to the virtualenv project, I suppose.

Oh.. Maybe @pfmoore is in the org? That would probably be enough.

What would being in the pypa org on PyPI mean? Would it alter who can do releases or manage the project? If so, I'm not sure that's necessarily something we'd want. I don't even know who has rights on the pypa org :-(

Edit: Actually I don't seem to be in the pypa org, so if this project was moved, would that mean I lose my rights on the project? I'm not very active, but removing maintainers seems like a bad idea for bus factor reasons if nothing else...

The individuals can still be added with Owner or Maintainer privileges. It'll show up under the org and the org will be linked from the project page.
Additionally, there would be a possibility to have teams added with the corresponding privileges. The team members aren't listed on the public project page but could publish if there are enough privileges configured. The individually added people are listed.

The trusted publishing setup isn't affected as it's connected to the projects and not the users.

As for the org owners, they are not public but I'd assume @di since he's just moved pip-audit there. He'll know more since I don't have visibility into the org.

See my comments on the equivalent issue you raise over on the pip tracker. Basically, I'm -1 on doing this until we understand the implications on project governance better. And I think it should be a PyPA-wide decision, not a per-project one.

> not a per-project one.

I'd argue that our current governance model does not allow authority over such per project topics. So must remain project specific.

> I'd argue that our current governance model does not allow authority over such per project topics. So must remain project specific.

Sorry, I wasn't clear. Whether to be part of the pypa org is a per-project decision, certainly. But whether and how to manage the pypa org is a PyPA decision, and as far as I can tell, projects can't reasonably join the pypa org until that's sorted out (if for no other reason than we have no process at the moment for deciding who will be owners/members of the PyPA org on PyPI, and hence be able to manage projects in that org - something I assume individual projects will care about).

See pypa/pip#12250 (comment) -- let's hold off on this.

I did reach out to him to go ahead, but he didn't get back since then.

So apparently it's already been transferred. Closing.